The MPLS WG Archive

Security issue re draft-ietf-mpls-in-ip-or-gre-07
> Destination address verification checks (disallow anything coming to
> your routers) at the border, however, is something that is not as
> simple

One thing you might be able to do is:

- create a set of loopbacks from a particular address range,
- a decapsulator doesn't accept encapsulated packets unless they are
  destined for an address within that range
- filter any packet entering the network from outside with a destination
  address in that range.

> when in place, source-based decapsulator checks eliminate the threats
> which can be eliminated

Yes, but on the other hand:

- possible performance implications
- presumption that some higher layer is signaling the allowable source
  addresses
- not always needed.

So what we are arguing about now is whether the IETF should determine the
proper set of tradeoffs and try to force it on the users, or whether the
users should be able to determine their own set of tradeoffs (giving them
more flexibility, but raising the chances that an insecure configuration
will be created).
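The three-step destination-range scheme from the message above, modelled as an added example (not part of the original message or of the draft). The address range, interface labels and sample packets are constructed for illustration; 47 and 137 are the IANA protocol numbers for GRE and MPLS-in-IP.

```python
import ipaddress
from dataclasses import dataclass

# Step 1 (constructed): loopbacks for decapsulation come from one reserved range.
DECAP_RANGE = ipaddress.ip_network("192.0.2.0/28")
ENCAP_PROTOCOLS = {47, 137}  # IANA protocol numbers: GRE, MPLS-in-IP

@dataclass(frozen=True)
class Packet:
    src: str      # outer source address (not trusted by this scheme)
    dst: str      # outer destination address
    proto: int    # outer IP protocol number
    ingress: str  # "external" or "internal" (hypothetical interface labels)

def in_decap_range(addr: str) -> bool:
    # Membership is False, not an error, if address families differ.
    return ipaddress.ip_address(addr) in DECAP_RANGE

def border_permits(pkt: Packet) -> bool:
    """Step 3: drop anything from outside that is addressed into the range."""
    return not (pkt.ingress == "external" and in_decap_range(pkt.dst))

def decapsulator_accepts(pkt: Packet) -> bool:
    """Step 2: decapsulate only if the outer destination is in the range."""
    return pkt.proto in ENCAP_PROTOCOLS and in_decap_range(pkt.dst)

def verdict(pkt: Packet) -> str:
    """Fate of a packet addressed to the decapsulating router."""
    if not border_permits(pkt):
        return "dropped-at-border"
    if pkt.proto not in ENCAP_PROTOCOLS:
        return "not-encapsulated"
    if decapsulator_accepts(pkt):
        return "decapsulated"
    return "rejected-by-decapsulator"

# Constructed sample packets. The first claims an inside source address;
# the border filter never consults the source, so the claim does not help it.
SAMPLES = [
    Packet("192.0.2.5", "192.0.2.1", 137, "external"),
    Packet("192.0.2.5", "192.0.2.1", 47, "internal"),
    Packet("203.0.113.9", "198.51.100.1", 137, "external"),
    Packet("203.0.113.9", "198.51.100.1", 6, "external"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.ingress:8} proto={p.proto:<3} dst={p.dst:<13} -> {verdict(p)}")
```

The third sample is the case the range restriction exists for: an encapsulated packet sent to a router address outside the reserved range passes the border filter but is still refused by the decapsulator.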